Date: Wed, 5 Nov 2003 13:52:51 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 41480 for review Message-ID: <200311052152.hA5Lqp6L047361@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=41480
Change 41480 by rwatson@rwatson_tislabs on 2003/11/05 13:52:45
Attempt to trim SEBSDisms from trustedbsd_mac without trimming from trustedbsd_sebsd. This should leave the diffs between MAC and SEBSD branches being the differences necessary to add SEBSD, rather than a subset. More commits to come.
Affected files ...
.. //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#8 edit
.. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#30 edit
Differences ...
==== //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#8 (text+ko) ====
@@ -4,7 +4,7 @@
 PROG= login
 SRCS= login.c login_fbtab.c
 CFLAGS+=-DLOGALL
-DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} ${LIBSEBSD}
+DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM}
 LDADD= -lutil -lcrypt ${MINUSLPAM}
 MAN= login.1 login.access.5
 BINOWN= root
==== //depot/projects/trustedbsd/mac/usr.bin/login/login.c#30 (text+ko) ====
@@ -68,7 +68,6 @@
 #include <libutil.h>
 #include <login_cap.h>
 #include <pwd.h>
-#include <sebsd.h>
 #include <setjmp.h>
 #include <signal.h>
 #include <stdio.h>
@@ -80,7 +79,6 @@
 #include <security/pam_appl.h>
 #include <security/openpam.h>
-#include <security/sebsd/flask.h>
 #include "login.h"
 #include "pathnames.h"
@@ -497,62 +495,6 @@ } /* - * Determine if we must execute a transition when we - * run our shell, for MAC policies which require it. For now, - * this is just SEBSD, and therefore not generic at all. - * When using SEBSD, the terminal device needs to be relabeled - * according to what the security server reports. - */ - if (sebsd_enabled()) { - char *labeltext, *queried, *oldttylabeltext, *tty_queried, - **contexts; - size_t ncontexts; - mac_t newttylabel; - int n; - - if (get_ordered_context_list(username, NULL, &contexts, - &ncontexts) != 0 || ncontexts == 0) - goto nosebsd; - if (query_user_context(pamh, contexts, ncontexts, - &queried) != 0 || - asprintf(&labeltext, "sebsd/%s", queried) == -1 || - mac_from_text(&execlabel, labeltext) != 0) { - syslog(LOG_ERR, "Determining SEBSD domain transition:" - " %m"); - bail(NO_SLEEP_EXIT, 1); - } - free(labeltext); - mac_prepare(&oldttylabel, "sebsd"); - if (mac_get_file(ttyn, oldttylabel) != 0 || - mac_to_text(oldttylabel, &oldttylabeltext) != 0) { - syslog(LOG_ERR, "Getting SEBSD label on terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - if (security_change_context(queried, oldttylabeltext + - sizeof("sebsd/") - 1, SECCLASS_CHR_FILE, - &tty_queried) != 0 || - asprintf(&labeltext, "sebsd/%s", tty_queried) == -1) { - syslog(LOG_ERR, "Determining SEBSD label for terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - free(oldttylabeltext); - free(tty_queried); - for (n = 0; n < ncontexts; n++) - free(contexts[n]); - free(contexts); - if (mac_from_text(&newttylabel, labeltext) != 0 || - mac_set_file(ttyn, newttylabel) != 0) { - syslog(LOG_ERR, "Setting SEBSD label on terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - mac_free(newttylabel); - } -nosebsd: - - /* * Destroy environment unless user has requested its * preservation - but preserve TERM in all cases */